redline | 1773f8e303141bad880cc8143f1f75ddb7f6059241408c05be0b2986c90cad68 | Triage

Submit
Reports

Overview

overview

Static

static

3

QUOTATION#09678.exe

windows7-x64

QUOTATION#09678.exe

windows10-2004-x64

Sharing

General

Target

QUOTATION#09678.exe
Size

2.7MB
Sample

241031-r492faylbw
MD5

5b3703237f7103c30865e5297818ed6c
SHA1

80bbadedd0379f935e95fa329a1794cf6ac50bc2
SHA256

1773f8e303141bad880cc8143f1f75ddb7f6059241408c05be0b2986c90cad68
SHA512

f7f650fb7b2b508815b424b773a71de4627e43b38508924e9531cb05f770daa3c1cc0c562018a785249dc78e480654a0f96c01825da7c37d060016cacb0b57cd
SSDEEP

12288:AVLxvRktNny6moEXPc51VX90EePLa+ILVOAvR2QD:+VvANnytoEXKluPu+cvR2QD

Score

10^/10

redline sectoprat nwa discovery evasion execution infostealer rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

QUOTATION#09678.exe

Resource

win7-20240903-en

redline sectoprat nwa discovery evasion execution infostealer rat spyware trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

QUOTATION#09678.exe

Resource

win10v2004-20241007-en

redline sectoprat nwa discovery evasion execution infostealer rat spyware trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

nwa

C2

94.141.120.6:55123

Targets

- Target
  
  QUOTATION#09678.exe
- Size
  
  2.7MB
- MD5
  
  5b3703237f7103c30865e5297818ed6c
- SHA1
  
  80bbadedd0379f935e95fa329a1794cf6ac50bc2
- SHA256
  
  1773f8e303141bad880cc8143f1f75ddb7f6059241408c05be0b2986c90cad68
- SHA512
  
  f7f650fb7b2b508815b424b773a71de4627e43b38508924e9531cb05f770daa3c1cc0c562018a785249dc78e480654a0f96c01825da7c37d060016cacb0b57cd
- SSDEEP
  
  12288:AVLxvRktNny6moEXPc51VX90EePLa+ILVOAvR2QD:+VvANnytoEXKluPu+cvR2QD
Score

10^/10

redline sectoprat nwa discovery evasion execution infostealer rat spyware trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinesectopratnwadiscoveryevasionexecutioninfostealerratspywaretrojan

behavioral2

redlinesectopratnwadiscoveryevasionexecutioninfostealerratspywaretrojan

© 2018-2025

Terms | Privacy